A page to show up #1 on Google when searching for "Jeremiah Grossman", and it FINALLY has!

Thursday, July 31, 2008

My Picks for BlackHat USA 2008

Loads of awesome looking presentations this year! So hard to choose from. I really hope I'll have time to see most of them and not be stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party, get to the Breach booth early.

I saw this talk at Blue Hat in Seattle a couple months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.

Day 1: 11:15 to 12:30

DNS Goodness by Dan Kaminsky

The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I’m really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.

Day 1: 13:45 to 15:00

Iron Chef: Fuzzing Challenge

This event was a lot of fun last year when I participated as a "celebrity judge". Just don't be under the impression that this is a scientific experiment of any kind. Instead, simply enjoy the "show", where you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake's blog software. :)

My man RSnake accompanied by Tom Stracener delivering Google zero-days and JavaScript malware PoC abound. Who could miss that! Keep your eyes peeled for Googlers in the front row feverishly taking notes and radioing live information back to the Googleplex. This talk might also renew our sense of paranoia about browser security, if there is such a thing.

Day 1: 16:45 to 18:00

FLEX, AMF 3 and BlazeDS: An Assessment by Jacob Carlson and Kevin Stadmeyer

Don't know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I've been doing a lot of my own research in Flash/Flex as well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.

Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. For some of the methods we're still not exactly sure why they work, only that they do in extreme edge cases. What we're also learning is that there are A LOT of web application vulnerability edge cases out there.

Day 2: 11:15 to 12:30

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling by Ivan Ristic and Ofer Shezaf

A serious toss-up between this one and Threats to the 2008 Presidential Election, which I'm sure is also going to be stellar. For me, I need to stay as up-to-date as I can on WAF technology evolution, and Ivan is THE MAN in the open source space.

Day 2: 13:45 to 15:00

REST for the Wicked by Bryan Sullivan

Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.

Day 2: 15:15 to 16:30

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way by Jeremiah Grossman and Arian Evans

Again, only because I HAVE to be there. :) I've been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be ground-breaking attack-wise, just really thought provoking and fun.

Day 2: 16:45 to 18:00

Pushing the Camel Through the Eye of a Needle by SensePost

Only because the SensePost guys are super l33t, always have exceptional material, and I've never been to a bad presentation of theirs yet. Didn't even bother to read the description, I know it'll be worthwhile. Hopefully I can make it over there after my presentation.

10 comments:

I hope any new research makes its way to this blog, or ha.ckers. By the way I see that you are presenting at the upcoming OWASP NYC Appsec 2008 convention. Is the cost of the two days combined $400, or is that a single day? I might have to take a few personal days so I can attend.

Hey Andrew. I'll be posting the BH slides publicly so nothing is missed. And I'll probably host a webinar a week or two after for anyone remote to see it as well. All bases covered. :)

As for AppSec, for $400 it's fully worth it. Two days of nothing but webappsec stuff. Unless you live in the area, the hotels will probably be more costly than the show. RSnake and I are considering combining our talks together since the stuff we've been quietly working on is closely related and useful to each other. More details to come later.

If I remember correctly I made a promise to drop by :) sadly not this year :(. Anyway I will wait for the slides then. Btw, does Blackhat also tape speeches? I know DefCon does. I guess they could earn an extra buck there since I would pay to download a couple of them.

No problem, there will be other times. And yes, BH does record the video, I usually get a copy of the DVD. But I also plan to do a webinar encore sometime afterwards as well. So, nothing will be missed.